Security Incidents
mailing list archives
SNMP Scans
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Mon, 5 Mar 2001 12:52:54 -0800
It's started...
With all of those Cisco SNMP advisories from last week, it looks like
some kids are scanning for SNMP-enabled devices.
1Mar2001 1:14:14 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.1:snmp 265
1Mar2001 1:14:14 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC3.1:snmp 265
1Mar2001 1:14:14 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.1:snmp 265
1Mar2001 1:14:14 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.1:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.3:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC3.3:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.3:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.3:snmp 265
1Mar2001 3:18:22 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.4:snmp 265
1Mar2001 3:18:22 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.4:snmp 265
1Mar2001 3:18:22 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.4:snmp 265
1Mar2001 4:03:52 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.5:snmp 265
1Mar2001 4:03:52 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC3.5:snmp 265
1Mar2001 4:03:52 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.5:snmp 265
1Mar2001 4:03:52 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.5:snmp 265
1Mar2001 5:00:49 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.6:snmp 265
1Mar2001 5:00:49 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC3.6:snmp 265
1Mar2001 5:00:49 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.6:snmp 265
1Mar2001 5:00:49 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.6:snmp 265
1Mar2001 6:33:46 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC2.7:snmp 265
1Mar2001 6:33:46 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC3.7:snmp 265
1Mar2001 6:33:46 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC4.7:snmp 265
1Mar2001 6:33:46 drop >hme0 udp 216.254.61.41:1077 -> AAA.BBB.CC5.7:snmp 265
An interesting pattern: he was trying the .1 address in each class C block,
then he either skipped or missed .2 before walking up to .7. Note that the
source port never changed, which makes me think it's a specialized scanning tool.
Unfortunately, I did not grab the contents of these packets, so I do not know
what this guy was actually looking for and what community string he might
have been trying. But like I said, my guess is that it's related to the Cisco
advisories from last week.
Did anyone else catch what this guy was looking for? Any other increases in
SNMP scans or exploit attempts?
--
Crist J. Clark Network Security Engineer
crist.clark () globalstar com Globalstar, L.P.
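As an added example (not code from the original post or from the list archive), here is the analysis a practitioner would run over firewall drop lines of the shape quoted above: parse each line, group SNMP-destined probes by source address, and report the sweep shape the post describes by eye (how many class C blocks were touched, which host octets were probed and which were skipped, whether the source port stayed fixed, and how long the sweep ran). It also includes a minimal BER decoder that pulls the version and community string out of an SNMPv1/v2c message, which is what the post says could not be checked because the payloads were not captured. Assumptions: the log format is taken to match the quoted lines (date time action >iface proto src:sport -> dst:dport len); the sample log lines and the sample SNMP GetRequest are constructed here using RFC 5737 and RFC 1918 addresses and are not real traffic; the thresholds in flag_sweeps are illustrative.

```python
"""Flag SNMP sweeps in firewall drop logs and decode community strings.

Added example, not from the original post. Log format assumed to match the
lines quoted in the post. Sample log lines and the sample SNMP packet below
are constructed (RFC 5737 / RFC 1918 addresses), not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# One firewall drop line:  1Mar2001 1:14:14 drop >hme0 udp A:sp -> B:dp len
LOG_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+>(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\w+)\s+"
    r"(?P<len>\d+)$"
)
SNMP_PORTS = {"snmp", "161", "snmptrap", "162"}

# Constructed sample: one source sweeping .1/.3/.4 across three /24s with a
# fixed source port, plus an unrelated host that sends one SNMP and one HTTP probe.
SAMPLE_LOG = """\
1Mar2001 1:14:14 drop >hme0 udp 203.0.113.41:1077 -> 10.20.2.1:snmp 265
1Mar2001 1:14:14 drop >hme0 udp 203.0.113.41:1077 -> 10.20.3.1:snmp 265
1Mar2001 1:14:14 drop >hme0 udp 203.0.113.41:1077 -> 10.20.4.1:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 203.0.113.41:1077 -> 10.20.2.3:snmp 265
1Mar2001 2:35:54 drop >hme0 udp 203.0.113.41:1077 -> 10.20.3.3:snmp 265
1Mar2001 3:18:22 drop >hme0 udp 203.0.113.41:1077 -> 10.20.2.4:snmp 265
1Mar2001 3:18:22 drop >hme0 udp 203.0.113.41:1077 -> 10.20.4.4:snmp 265
1Mar2001 3:20:00 drop >hme0 udp 198.51.100.7:40001 -> 10.20.2.1:snmp 265
1Mar2001 3:21:10 drop >hme0 udp 198.51.100.7:40002 -> 10.20.2.1:www 60
"""

# Constructed SNMPv1 GetRequest for sysDescr.0 with community "public" (hand-encoded BER).
SAMPLE_SNMP_GET = bytes.fromhex(
    "3029" "020100" "04067075626c6963"            # SEQUENCE, version 0, community
    "a01c" "02041d3a5b7c" "020100" "020100"       # GetRequest, req-id, err-status, err-index
    "300e" "300c" "06082b06010201010100" "0500"   # varbinds: sysDescr.0 = NULL
)


def parse_line(line):
    """Return a dict of the fields in one drop line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    return rec


def summarize_by_source(records, dports=SNMP_PORTS):
    """Group UDP probes to SNMP ports by source IP and describe the sweep shape."""
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] in dports:
            groups[r["src"]].append(r)
    summary = {}
    for src, recs in groups.items():
        nets = {r["dst"].rsplit(".", 1)[0] for r in recs}            # /24 blocks touched
        hosts = sorted({int(r["dst"].rsplit(".", 1)[1]) for r in recs})  # last octets probed
        times = sorted(r["ts"] for r in recs)
        summary[src] = {
            "probes": len(recs),
            "targets": len({r["dst"] for r in recs}),
            "class_c_blocks": len(nets),
            "host_octets": hosts,
            "skipped_octets": [h for h in range(hosts[0], hosts[-1] + 1) if h not in hosts],
            "fixed_source_port": len({r["sport"] for r in recs}) == 1,  # hint of a custom tool
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return summary


def flag_sweeps(summary, min_targets=4, min_blocks=2):
    """Sources that hit several targets across more than one /24 (thresholds are illustrative)."""
    return sorted(src for src, s in summary.items()
                  if s["targets"] >= min_targets and s["class_c_blocks"] >= min_blocks)


def snmp_community(payload):
    """Return (version, community) from an SNMPv1/v2c message, or None if malformed.
    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data ANY }."""
    def tlv(buf, pos):
        # Decode one BER tag/length/value; short and long-form lengths; bounds-checked.
        if pos + 2 > len(buf):
            return None
        tag, ln = buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:
            n = ln & 0x7F
            if n == 0 or pos + n > len(buf):
                return None
            ln = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + ln > len(buf):
            return None
        return tag, buf[pos:pos + ln], pos + ln

    outer = tlv(payload, 0)
    if not outer or outer[0] != 0x30:
        return None
    body = outer[1]
    ver = tlv(body, 0)
    if not ver or ver[0] != 0x02:
        return None
    com = tlv(body, ver[2])
    if not com or com[0] != 0x04:
        return None
    return int.from_bytes(ver[1], "big", signed=True), com[1].decode("latin-1")


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]
    summary = summarize_by_source(recs)
    for src in flag_sweeps(summary):
        print(src, summary[src])
    print(snmp_community(SAMPLE_SNMP_GET))
```

On the constructed sample, the sweeping source is reported with three /24 blocks, host octets [1, 3, 4] with 2 skipped, a fixed source port and a span of just over two hours, while the single-probe source is not flagged; the packet decoder returns version 0 (SNMPv1) and community "public". If you do capture payloads for probes like these, feeding the UDP payload to snmp_community is enough to see which community strings are being tried, which answers the question the post leaves open.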